oasis

0004-Avoid-implicit-pointer-sign-conversions.patch (32126B)

From 44bc6dfcdd2581f64fc869c8863dd590ea947033 Mon Sep 17 00:00:00 2001
From: Michael Forney <mforney@mforney.org>
Date: Thu, 2 Apr 2026 23:52:53 -0700
Subject: [PATCH] Avoid implicit pointer sign conversions
s_client_options:
All option values for clr and off used here fit in a 32-bit int,
the largest being SSL_OP_NO_TLSv1_3=0x20000000L, so make these
fields int.
sm4_ctr_cipher:
CRYPTO_ctr128_encrypt expects an unsigned int *, but ctx->num is
an int. Use a local variable with the correct type to avoid aliasing
issues.
addr_validate_path_internal:
length is used twice, its address is passed to
IPAddressFamily_afi_length, expecting an int *, and addr_contains, also
expecting int, so change its type to int.
tls_decrypt_ticket:
hlen is used for the result of HMAC_size. Though the manual documents
this as returning a size_t, it actually returns an int since it
wraps EVP_MD_size, which can return a negative value. HMAC_Final
expects an unsigned int *, so we need a separate variable for the
final length.
tls13_new_session_ticket_recv:
session_id_length is used twice, its address is passed to EVP_Digest
which expects an unsigned int, and then it is saved in
SSL_SESSION.session_id_length, a size_t. So its type from int to
unsigned int.
All other changes simply make explicit the conversions among pointers
to character types already being done. These implicit conversions
are constraint violations in ISO C.
---
 apps/openssl/ca.c              |  7 ++++---
 apps/openssl/cms.c             |  2 +-
 apps/openssl/s_client.c        |  4 ++--
 crypto/asn1/a_object.c         | 12 ++++++------
 crypto/asn1/a_time.c           |  2 +-
 crypto/asn1/a_time_tm.c        | 22 ++++++++++++----------
 crypto/bio/b_dump.c            |  2 +-
 crypto/bio/bss_mem.c           |  4 ++--
 crypto/bn/bn_convert.c         |  8 ++++----
 crypto/bn/bn_print.c           |  2 +-
 crypto/evp/e_sm4.c             |  4 +++-
 crypto/ocsp/ocsp_cl.c          |  4 ++--
 crypto/pkcs7/pk7_attr.c        |  2 +-
 crypto/x509/x509_addr.c        |  2 +-
 crypto/x509/x509_constraints.c | 18 +++++++++---------
 crypto/x509/x509_obj.c         | 10 +++++-----
 crypto/x509/x509_utl.c         |  8 ++++----
 crypto/x509/x509_verify.c      |  3 ++-
 crypto/x509/x509name.c         |  3 ++-
 ssl/s3_lib.c                   |  2 +-
 ssl/ssl_clnt.c                 |  2 +-
 ssl/ssl_lib.c                  |  8 ++++----
 ssl/ssl_srvr.c                 |  2 +-
 ssl/ssl_tlsext.c               |  3 ++-
 ssl/ssl_txt.c                  |  4 ++--
 ssl/t1_lib.c                   |  4 +++-
 ssl/tls13_client.c             |  8 ++++----
 ssl/tls13_key_schedule.c       | 12 ++++++------
 ssl/tls13_legacy.c             |  2 +-
 ssl/tls13_lib.c                |  3 ++-
 ssl/tls13_record_layer.c       |  2 +-
 ssl/tls13_server.c             | 10 +++++-----
 32 files changed, 96 insertions(+), 85 deletions(-)
diff --git a/apps/openssl/ca.c b/apps/openssl/ca.c
index a2e8a6836..5505983ff 100644
--- a/apps/openssl/ca.c
+++ b/apps/openssl/ca.c
@@ -2197,7 +2197,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 
 	if ((tm = X509_get_notAfter(ret)) == NULL)
 		goto err;
-	row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
+	row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm),
 	    ASN1_STRING_length(tm));
 	if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
 		BIO_printf(bio_err, "Memory allocation failure\n");
@@ -2325,7 +2325,7 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
 
 		if ((tm = X509_get_notAfter(x509)) == NULL)
 			goto err;
-		row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
+		row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm),
 		    ASN1_STRING_length(tm));
 		if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
 			BIO_printf(bio_err, "Memory allocation failure\n");
@@ -2489,7 +2489,8 @@ do_updatedb(CA_DB *db)
 		cnt = -1;
 		goto err;
 	}
-	a_tm_s = strndup(ASN1_STRING_get0_data(a_tm), ASN1_STRING_length(a_tm));
+	a_tm_s = strndup((char *)ASN1_STRING_get0_data(a_tm),
+	    ASN1_STRING_length(a_tm));
 	if (a_tm_s == NULL) {
 		cnt = -1;
 		goto err;
diff --git a/apps/openssl/cms.c b/apps/openssl/cms.c
index 7430f4c93..a63d6e453 100644
--- a/apps/openssl/cms.c
+++ b/apps/openssl/cms.c
@@ -1512,7 +1512,7 @@ cms_main(int argc, char **argv)
 			cfg.secret_keyid = NULL;
 		}
 		if (cfg.pwri_pass != NULL) {
-			pwri_tmp = strdup(cfg.pwri_pass);
+			pwri_tmp = (unsigned char *)strdup((char *)cfg.pwri_pass);
 			if (pwri_tmp == NULL)
 				goto end;
 			if (CMS_add0_recipient_password(cms, -1, NID_undef,
diff --git a/apps/openssl/s_client.c b/apps/openssl/s_client.c
index 2b05facc1..d12423d0f 100644
--- a/apps/openssl/s_client.c
+++ b/apps/openssl/s_client.c
@@ -194,7 +194,7 @@ static struct {
 	char *cert_file;
 	int cert_format;
 	char *cipher;
-	unsigned int clr;
+	int clr;
 	char *connect;
 	int crlf;
 	int debug;
@@ -215,7 +215,7 @@ static struct {
 	int nbio_test;
 	int no_servername;
 	char *npn_in;
-	unsigned int off;
+	int off;
 	char *passarg;
 	int peekaboo;
 	char *port;
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 333ac6034..25e7a2ae6 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -182,7 +182,7 @@ oid_add_arc_txt(CBB *cbb, uint64_t arc, int first)
 	n = snprintf(s, sizeof(s), fmt, (unsigned long long)arc);
 	if (n < 0 || (size_t)n >= sizeof(s))
 		return 0;
-	if (!CBB_add_bytes(cbb, s, n))
+	if (!CBB_add_bytes(cbb, (uint8_t *)s, n))
 		return 0;
 
 	return 1;
@@ -343,7 +343,7 @@ a2d_ASN1_OBJECT(unsigned char *out, int out_len, const char *in, int in_len)
 	if (in_len <= 0)
 		goto err;
 
-	CBS_init(&cbs, in, in_len);
+	CBS_init(&cbs, (uint8_t *)in, in_len);
 
 	if (!CBB_init(&cbb, 0))
 		goto err;
@@ -401,7 +401,7 @@ i2t_ASN1_OBJECT_name(const ASN1_OBJECT *aobj, CBB *cbb, const char **out_name)
 
 	*out_name = name;
 
-	if (!CBB_add_bytes(cbb, name, strlen(name)))
+	if (!CBB_add_bytes(cbb, (uint8_t *)name, strlen(name)))
 		return 0;
 
 	/* NUL terminate. */
@@ -448,7 +448,7 @@ i2t_ASN1_OBJECT_internal(const ASN1_OBJECT *aobj, char *buf, int buf_len, int no
 	if (!CBB_finish(&cbb, &data, &data_len))
 		goto err;
 
-	ret = strlcpy(buf, data, buf_len);
+	ret = strlcpy(buf, (char *)data, buf_len);
  err:
 	CBB_cleanup(&cbb);
 	free(data);
@@ -474,7 +474,7 @@ t2i_ASN1_OBJECT_internal(const char *oid)
 
 	memset(&cbb, 0, sizeof(cbb));
 
-	CBS_init(&cbs, oid, strlen(oid));
+	CBS_init(&cbs, (uint8_t *)oid, strlen(oid));
 
 	if (!CBB_init(&cbb, 0))
 		goto err;
@@ -521,7 +521,7 @@ i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *aobj)
 	if (!CBB_finish(&cbb, &data, &data_len))
 		goto err;
 
-	ret = BIO_write(bp, data, strlen(data));
+	ret = BIO_write(bp, data, strlen((char *)data));
 
  err:
 	CBB_cleanup(&cbb);
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 3deff56ed..10634c067 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -99,7 +99,7 @@ ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm)
 	time_t now;
 
 	if (s != NULL)
-		return ASN1_time_parse(s->data, s->length, tm, 0) != -1;
+		return ASN1_time_parse((char *)s->data, s->length, tm, 0) != -1;
 
 	time(&now);
 	memset(tm, 0, sizeof(*tm));
diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c
index dd2893167..c0e0d6245 100644
--- a/crypto/asn1/a_time_tm.c
+++ b/crypto/asn1/a_time_tm.c
@@ -96,7 +96,7 @@ tm_to_gentime(struct tm *tm, ASN1_TIME *atime)
 	}
 
 	free(atime->data);
-	atime->data = time_str;
+	atime->data = (unsigned char *)time_str;
 	atime->length = GENTIME_LENGTH;
 	atime->type = V_ASN1_GENERALIZEDTIME;
 
@@ -122,7 +122,7 @@ tm_to_utctime(struct tm *tm, ASN1_TIME *atime)
 	}
 
 	free(atime->data);
-	atime->data = time_str;
+	atime->data = (unsigned char *)time_str;
 	atime->length = UTCTIME_LENGTH;
 	atime->type = V_ASN1_UTCTIME;
 
@@ -293,7 +293,7 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
 	if (bytes == NULL)
 		return -1;
 
-	CBS_init(&cbs, bytes, len);
+	CBS_init(&cbs, (uint8_t *)bytes, len);
 
 	if (CBS_len(&cbs) == UTCTIME_LENGTH)
 		type = V_ASN1_UTCTIME;
@@ -401,7 +401,8 @@ ASN1_TIME_check(const ASN1_TIME *t)
 {
 	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
 		return 0;
-	return t->type == ASN1_time_parse(t->data, t->length, NULL, t->type);
+	return t->type == ASN1_time_parse((char *)t->data, t->length, NULL,
+	   t->type);
 }
 LCRYPTO_ALIAS(ASN1_TIME_check);
 
@@ -414,7 +415,7 @@ ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
 	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
 		goto err;
 
-	if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type))
+	if (t->type != ASN1_time_parse((char *)t->data, t->length, &tm, t->type))
 		goto err;
 
 	if (out == NULL || (agt = *out) == NULL)
@@ -460,7 +461,7 @@ ASN1_TIME_cmp_time_t_internal(const ASN1_TIME *s, time_t t2, int mode)
 	 * one of those pervasive things from OpenSSL we must continue with.
 	 */
 
-	if (ASN1_time_parse(s->data, s->length, &tm1, mode) == -1)
+	if (ASN1_time_parse((char *)s->data, s->length, &tm1, mode) == -1)
 		return -2;
 
 	if (!asn1_time_time_t_to_tm(&t2, &tm2))
@@ -480,10 +481,10 @@ ASN1_TIME_compare(const ASN1_TIME *t1, const ASN1_TIME *t2)
 	if (t2->type != V_ASN1_UTCTIME && t2->type != V_ASN1_GENERALIZEDTIME)
 		return -2;
 
-	if (ASN1_time_parse(t1->data, t1->length, &tm1, t1->type) == -1)
+	if (ASN1_time_parse((char *)t1->data, t1->length, &tm1, t1->type) == -1)
 		return -2;
 
-	if (ASN1_time_parse(t2->data, t2->length, &tm2, t2->type) == -1)
+	if (ASN1_time_parse((char *)t2->data, t2->length, &tm2, t2->type) == -1)
 		return -2;
 
 	return ASN1_time_tm_cmp(&tm1, &tm2);
@@ -511,7 +512,7 @@ ASN1_UTCTIME_check(const ASN1_UTCTIME *d)
 {
 	if (d->type != V_ASN1_UTCTIME)
 		return 0;
-	return d->type == ASN1_time_parse(d->data, d->length, NULL, d->type);
+	return d->type == ASN1_time_parse((char *)d->data, d->length, NULL, d->type);
 }
 LCRYPTO_ALIAS(ASN1_UTCTIME_check);
 
@@ -557,7 +558,8 @@ ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d)
 {
 	if (d->type != V_ASN1_GENERALIZEDTIME)
 		return 0;
-	return d->type == ASN1_time_parse(d->data, d->length, NULL, d->type);
+	return d->type == ASN1_time_parse((char *)d->data, d->length, NULL,
+	    d->type);
 }
 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_check);
 
diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c
index 3f673205c..40b09dc23 100644
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@@ -86,7 +86,7 @@ BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 
 	if (len < 0)
 		goto err;
-	CBS_init(&cbs, s, len);
+	CBS_init(&cbs, (uint8_t *)s, len);
 
 	if (indent < 0)
 		indent = 0;
diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
index 0fa6317a2..afcd6b216 100644
--- a/crypto/bio/bss_mem.c
+++ b/crypto/bio/bss_mem.c
@@ -84,7 +84,7 @@ bio_mem_pending(struct bio_mem *bm)
 static uint8_t *
 bio_mem_read_ptr(struct bio_mem *bm)
 {
-	return &bm->buf->data[bm->read_offset];
+	return (uint8_t *)&bm->buf->data[bm->read_offset];
 }
 
 static int mem_new(BIO *bio);
@@ -349,7 +349,7 @@ mem_gets(BIO *bio, char *out, int out_len)
 		return 0;
 	}
 
-	p = bio_mem_read_ptr(bm);
+	p = (char *)bio_mem_read_ptr(bm);
 	for (i = 0; i < out_max; i++) {
 		if (p[i] == '\n') {
 			i++;
diff --git a/crypto/bn/bn_convert.c b/crypto/bn/bn_convert.c
index ab5bc519c..cb006a209 100644
--- a/crypto/bn/bn_convert.c
+++ b/crypto/bn/bn_convert.c
@@ -261,7 +261,7 @@ BN_asc2bn(BIGNUM **bnp, const char *s)
 	if ((s_len = strlen(s)) == 0)
 		return 0;
 
-	CBS_init(&cbs, s, s_len);
+	CBS_init(&cbs, (uint8_t *)s, s_len);
 
 	/* Handle negative sign. */
 	if (!CBS_peek_u8(&cbs, &v))
@@ -373,7 +373,7 @@ BN_bn2dec(const BIGNUM *bn)
 	CBB_cleanup(&cbb);
 	freezero(data, data_len);
 
-	return s;
+	return (char *)s;
 }
 LCRYPTO_ALIAS(BN_bn2dec);
 
@@ -476,7 +476,7 @@ BN_dec2bn(BIGNUM **bnp, const char *s)
 	if ((s_len = strlen(s)) == 0)
 		return 0;
 
-	CBS_init(&cbs, s, s_len);
+	CBS_init(&cbs, (uint8_t *)s, s_len);
 
 	return bn_dec2bn_cbs(bnp, &cbs);
 }
@@ -677,7 +677,7 @@ BN_hex2bn(BIGNUM **bnp, const char *s)
 	if ((s_len = strlen(s)) == 0)
 		return 0;
 
-	CBS_init(&cbs, s, s_len);
+	CBS_init(&cbs, (uint8_t *)s, s_len);
 
 	return bn_hex2bn_cbs(bnp, &cbs);
 }
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index cd8b66360..655732413 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -82,7 +82,7 @@ bn_print_bignum(BIO *bio, const BIGNUM *bn, int indent)
 	if (!bn_bn2hex_nosign(bn, &hex, &hex_len))
 		goto err;
 
-	CBS_init(&cbs, hex, hex_len);
+	CBS_init(&cbs, (uint8_t *)hex, hex_len);
 
 	if (BN_is_negative(bn)) {
 		if (BIO_printf(bio, " (Negative)") <= 0)
diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
index cde2f6c64..9f8b13ed1 100644
--- a/crypto/evp/e_sm4.c
+++ b/crypto/evp/e_sm4.c
@@ -237,9 +237,11 @@ sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
     size_t len)
 {
 	EVP_SM4_KEY *key = ((EVP_SM4_KEY *)(ctx)->cipher_data);
+	unsigned int num;
 
 	CRYPTO_ctr128_encrypt(in, out, len, &key->ks, ctx->iv, ctx->buf,
-	    &ctx->num, (block128_f)SM4_encrypt);
+	    &num, (block128_f)SM4_encrypt);
+	ctx->num = num;
 	return 1;
 }
 
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 460c1bce5..15a70b1c5 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -410,7 +410,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 	 * (such as UTCTIME permitted/required by RFC 5280 for certificates)
 	 */
 	/* Check that thisUpdate is valid. */
-	if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
+	if (ASN1_time_parse((char *)thisupd->data, thisupd->length, &tm_this,
 	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 		OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
 		return 0;
@@ -433,7 +433,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 		return 1;
 
 	/* Check that nextUpdate is valid. */
-	if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
+	if (ASN1_time_parse((char *)nextupd->data, nextupd->length, &tm_next,
 	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 		OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
 		return 0;
diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c
index f2e17806d..cb6b2e84f 100644
--- a/crypto/pkcs7/pk7_attr.c
+++ b/crypto/pkcs7/pk7_attr.c
@@ -192,7 +192,7 @@ PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
 	}
 
 	/* RFC 5652, section 11.3 - UTCTime for the years 1950-2049. */
-	if (ASN1_time_parse(tm->data, tm->length, NULL, tm->type) == -1)
+	if (ASN1_time_parse((char *)tm->data, tm->length, NULL, tm->type) == -1)
 		goto err;
 	if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
 		goto err;
diff --git a/crypto/x509/x509_addr.c b/crypto/x509/x509_addr.c
index b4ee92a14..615375dd6 100644
--- a/crypto/x509/x509_addr.c
+++ b/crypto/x509/x509_addr.c
@@ -1875,7 +1875,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 	X509 *cert = NULL;
 	int depth = -1;
 	int i;
-	unsigned int length;
+	int length;
 	int ret = 1;
 
 	/* We need a non-empty chain to test against. */
diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c
index c4f32c9cf..597fdde06 100644
--- a/crypto/x509/x509_constraints.c
+++ b/crypto/x509/x509_constraints.c
@@ -347,7 +347,7 @@ x509_constraints_parse_mailbox(CBS *candidate,
 
 	for (i = 0; i < len; i++) {
 		char c;
-		if (!CBS_get_u8(&copy, &c))
+		if (!CBS_get_u8(&copy, (uint8_t *)&c))
 			goto bad;
 		/* non ascii, cr, lf, or nul is never allowed */
 		if (!isascii(c) || c == '\r' || c == '\n' || c == '\0')
@@ -445,7 +445,7 @@ x509_constraints_parse_mailbox(CBS *candidate,
 	}
 	if (candidate_local == NULL || candidate_domain == NULL)
 		goto bad;
-	CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain));
+	CBS_init(&domain_cbs, (uint8_t *)candidate_domain, strlen(candidate_domain));
 	if (!x509_constraints_valid_host(&domain_cbs, 0))
 		goto bad;
 
@@ -549,7 +549,7 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
 			if (host != NULL)
 				break;
 			/* start after the userinfo part */
-			host = uri + i + 1;
+			host = (char *)uri + i + 1;
 			continue;
 		}
 		/* did we find the end? */
@@ -561,8 +561,8 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
 	if (hostlen == 0)
 		return 0;
 	if (host == NULL)
-		host = authority;
-	CBS_init(&host_cbs, host, hostlen);
+		host = (char *)authority;
+	CBS_init(&host_cbs, (uint8_t *)host, hostlen);
 	if (!x509_constraints_valid_host(&host_cbs, 1))
 		return 0;
 	if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart))
@@ -667,8 +667,8 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
 		*error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
 		goto err;
 	}
-	ret = x509_constraints_domain(hostpart, strlen(hostpart), constraint,
-	    len);
+	ret = x509_constraints_domain(hostpart, strlen(hostpart),
+	    (char *)constraint, len);
  err:
 	free(hostpart);
 	return ret;
@@ -1018,7 +1018,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
 	case GEN_DNS:
 		if (!x509_constraints_valid_domain_constraint(&cbs))
 			goto err;
-		if ((name->name = strndup(bytes, len)) == NULL) {
+		if ((name->name = strndup((char *)bytes, len)) == NULL) {
 			error = X509_V_ERR_OUT_OF_MEM;
 			goto err;
 		}
@@ -1064,7 +1064,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
 	case GEN_URI:
 		if (!x509_constraints_valid_domain_constraint(&cbs))
 			goto err;
-		if ((name->name = strndup(bytes, len)) == NULL) {
+		if ((name->name = strndup((char *)bytes, len)) == NULL) {
 			error = X509_V_ERR_OUT_OF_MEM;
 			goto err;
 		}
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index db1741cc9..43afeb8cf 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -78,13 +78,13 @@ X509_NAME_ENTRY_add_object_cbb(CBB *cbb, const ASN1_OBJECT *aobj)
 	/* Prefer SN over LN, and fall back to textual representation of OID. */
 	if ((nid = OBJ_obj2nid(aobj)) != NID_undef) {
 		if ((str = OBJ_nid2sn(nid)) != NULL)
-			return CBB_add_bytes(cbb, str, strlen(str));
+			return CBB_add_bytes(cbb, (uint8_t *)str, strlen(str));
 		if ((str = OBJ_nid2ln(nid)) != NULL)
-			return CBB_add_bytes(cbb, str, strlen(str));
+			return CBB_add_bytes(cbb, (uint8_t *)str, strlen(str));
 	}
 	if (OBJ_obj2txt(buf, sizeof(buf), aobj, 1) == 0)
 		return 0;
-	return CBB_add_bytes(cbb, buf, strlen(buf));
+	return CBB_add_bytes(cbb, (uint8_t *)buf, strlen(buf));
 }
 
 static int
@@ -183,9 +183,9 @@ X509_NAME_oneline(const X509_NAME *a, char *buf, int len)
 		goto err;
 
 	if (buf == NULL)
-		return line;
+		return (char *)line;
 
-	strlcpy(buf, line, len);
+	strlcpy(buf, (char *)line, len);
 	free(line);
 
 	return buf;
diff --git a/crypto/x509/x509_utl.c b/crypto/x509/x509_utl.c
index 2e60834ed..0746ac0c5 100644
--- a/crypto/x509/x509_utl.c
+++ b/crypto/x509/x509_utl.c
@@ -504,7 +504,7 @@ hex_to_string(const unsigned char *buffer, long len)
  err:
 	CBB_cleanup(&cbb);
 
-	return out;
+	return (char *)out;
 }
 LCRYPTO_ALIAS(hex_to_string);
 
@@ -569,7 +569,7 @@ string_to_hex(const char *str, long *len)
 		goto err;
 	}
 
-	CBS_init(&cbs, str, strlen(str));
+	CBS_init(&cbs, (uint8_t *)str, strlen(str));
 	while (CBS_len(&cbs) > 0) {
 		/*
 		 * Skipping only a single colon between two pairs of digits
@@ -813,7 +813,7 @@ equal_nocase(const unsigned char *pattern, size_t pattern_len,
 	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
 	if (pattern_len != subject_len)
 		return 0;
-	return (strncasecmp(pattern, subject, pattern_len) == 0);
+	return (strncasecmp((char *)pattern, (char *)subject, pattern_len) == 0);
 }
 
 /* Compare using strncmp. */
@@ -828,7 +828,7 @@ equal_case(const unsigned char *pattern, size_t pattern_len,
 	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
 	if (pattern_len != subject_len)
 		return 0;
-	return (strncmp(pattern, subject, pattern_len) == 0);
+	return (strncmp((char *)pattern, (char *)subject, pattern_len) == 0);
 }
 
 /*
diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c
index fc3fbc14d..95c6cf359 100644
--- a/crypto/x509/x509_verify.c
+++ b/crypto/x509/x509_verify.c
@@ -55,7 +55,8 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
 	if (atime == NULL)
 		return 0;
 
-	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
+	type = ASN1_time_parse((char *)atime->data, atime->length, &tm,
+	    atime->type);
 	if (type == -1)
 		return 0;
 
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index e60d8b7a3..5fc4d2ee0 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -107,7 +107,8 @@ X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf,
 		goto err;
 	/* We still support the "pass NULL to find out how much" API */
 	if (buf != NULL) {
-		if (len <= 0 || !CBS_write_bytes(&cbs, buf, len - 1, NULL))
+		if (len <= 0 || !CBS_write_bytes(&cbs, (uint8_t *)buf,
+		    len - 1, NULL))
 			goto err;
 		/* It must be a C string */
 		buf[text_len] = '\0';
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bcf26bec4..431af32f2 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1551,7 +1551,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name)
 	if (name == NULL)
 		return 1;
 
-	CBS_init(&cbs, name, strlen(name));
+	CBS_init(&cbs, (uint8_t *)name, strlen(name));
 
 	if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
 		SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c
index 6ef81a170..ffc55e5f9 100644
--- a/ssl/ssl_clnt.c
+++ b/ssl/ssl_clnt.c
@@ -2337,7 +2337,7 @@ ssl3_send_client_change_cipher_spec(SSL *s)
 	memset(&cbb, 0, sizeof(cbb));
 
 	if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
-		if (!CBB_init_fixed(&cbb, s->init_buf->data,
+		if (!CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data,
 		    s->init_buf->length))
 			goto err;
 		if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 630724e67..32ab5332a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2004,12 +2004,12 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t out_len,
 			context = NULL;
 			context_len = 0;
 		}
-		return tls13_exporter(s->tls13, label, label_len, context,
-		    context_len, out, out_len);
+		return tls13_exporter(s->tls13, (uint8_t *)label, label_len,
+		    context, context_len, out, out_len);
 	}
 
-	return tls12_exporter(s, label, label_len, context, context_len,
-	    use_context, out, out_len);
+	return tls12_exporter(s, (uint8_t *)label, label_len, context,
+	    context_len, use_context, out, out_len);
 }
 LSSL_ALIAS(SSL_export_keying_material);
 
diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c
index af4b20f6c..e877bb3f9 100644
--- a/ssl/ssl_srvr.c
+++ b/ssl/ssl_srvr.c
@@ -2378,7 +2378,7 @@ ssl3_send_server_change_cipher_spec(SSL *s)
 	memset(&cbb, 0, sizeof(cbb));
 
 	if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) {
-		if (!CBB_init_fixed(&cbb, s->init_buf->data,
+		if (!CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data,
 		    s->init_buf->length))
 			goto err;
 		if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c
index d879b3304..2b75b0fbb 100644
--- a/ssl/ssl_tlsext.c
+++ b/ssl/ssl_tlsext.c
@@ -808,7 +808,8 @@ tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 			*alert = SSL_AD_UNRECOGNIZED_NAME;
 			goto err;
 		}
-		if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
+		if (!CBS_mem_equal(&host_name,
+		    (uint8_t *)s->session->tlsext_hostname,
 		    strlen(s->session->tlsext_hostname))) {
 			*alert = SSL_AD_UNRECOGNIZED_NAME;
 			goto err;
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 4ed76c95a..1ad3b9255 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -170,8 +170,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 	if (x->tlsext_tick != NULL) {
 		if (BIO_puts(bp, "\n    TLS session ticket:\n") <= 0)
 			goto err;
-		if (BIO_dump_indent(bp, x->tlsext_tick, x->tlsext_ticklen,
-		    4) <= 0)
+		if (BIO_dump_indent(bp, (char *)x->tlsext_tick,
+		    x->tlsext_ticklen, 4) <= 0)
 			goto err;
 	}
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 912bea592..c93107383 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1014,6 +1014,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 	EVP_CIPHER_CTX *cctx = NULL;
 	SSL_CTX *tctx = s->initial_ctx;
 	int slen, hlen, iv_len;
+	unsigned int hlenu;
 	int alert_desc = SSL_AD_INTERNAL_ERROR;
 	int ret = TLS1_TICKET_FATAL_ERROR;
 
@@ -1108,8 +1109,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 	if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
 	    CBS_len(&ticket_encdata)) <= 0)
 		goto err;
-	if (HMAC_Final(hctx, hmac, &hlen) <= 0)
+	if (HMAC_Final(hctx, hmac, &hlenu) <= 0)
 		goto err;
+	hlen = hlenu;
 
 	if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
 		goto derr;
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 21d396079..a837b85fe 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -668,7 +668,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 	    sizeof(tls13_cert_verify_pad)))
 		goto err;
 	if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
-	    strlen(tls13_cert_server_verify_context)))
+	    strlen((char *)tls13_cert_server_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&cbb, 0))
 		goto err;
@@ -722,7 +722,7 @@ int
 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 	struct tls13_secret finished_key;
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 	size_t transcript_hash_len;
@@ -944,7 +944,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 	    sizeof(tls13_cert_verify_pad)))
 		goto err;
 	if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context,
-	    strlen(tls13_cert_client_verify_context)))
+	    strlen((char *)tls13_cert_client_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&sig_cbb, 0))
 		goto err;
@@ -1005,7 +1005,7 @@ int
 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 	struct tls13_secret finished_key = { .data = NULL, .len = 0 };
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 	size_t transcript_hash_len;
diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c
index 05bcf0f00..19afc7999 100644
--- a/ssl/tls13_key_schedule.c
+++ b/ssl/tls13_key_schedule.c
@@ -160,8 +160,8 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
     const struct tls13_secret *secret, const char *label,
     const struct tls13_secret *context)
 {
-	return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
-	    strlen(label), context);
+	return tls13_hkdf_expand_label_with_length(out, digest, secret,
+	    (uint8_t *)label, strlen(label), context);
 }
 
 int
@@ -185,7 +185,7 @@ tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
 		goto err;
 	if (!CBB_add_u8_length_prefixed(&cbb, &child))
 		goto err;
-	if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
+	if (!CBB_add_bytes(&child, (uint8_t *)tls13_plabel, strlen(tls13_plabel)))
 		goto err;
 	if (!CBB_add_bytes(&child, label, label_len))
 		goto err;
@@ -362,7 +362,7 @@ tls13_derive_application_secrets(struct tls13_secrets *secrets,
 int
 tls13_update_client_traffic_secret(struct tls13_secrets *secrets)
 {
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 
 	if (!secrets->init_done || !secrets->early_done ||
 	    !secrets->handshake_done || !secrets->schedule_done)
@@ -376,7 +376,7 @@ tls13_update_client_traffic_secret(struct tls13_secrets *secrets)
 int
 tls13_update_server_traffic_secret(struct tls13_secrets *secrets)
 {
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 
 	if (!secrets->init_done || !secrets->early_done ||
 	    !secrets->handshake_done || !secrets->schedule_done)
@@ -423,7 +423,7 @@ tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
 
 	/* In TLSv1.3 no context is equivalent to an empty context. */
 	if (context_value == NULL) {
-		context_value = "";
+		context_value = (uint8_t *)"";
 		context_value_len = 0;
 	}
 
diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c
index 6a06330b2..220999745 100644
--- a/ssl/tls13_legacy.c
+++ b/ssl/tls13_legacy.c
@@ -359,7 +359,7 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
 	if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
 		goto err;
-	if (!CBS_write_bytes(&cbs, s->init_buf->data,
+	if (!CBS_write_bytes(&cbs, (uint8_t *)s->init_buf->data,
 	    s->init_buf->length, NULL))
 		goto err;
 
diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c
index c3470b293..5d9f15950 100644
--- a/ssl/tls13_lib.c
+++ b/ssl/tls13_lib.c
@@ -378,7 +378,8 @@ tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
 	uint32_t ticket_lifetime, ticket_age_add;
 	CBS ticket_nonce, ticket;
 	SSL_SESSION *sess = NULL;
-	int alert, session_id_length;
+	int alert;
+	unsigned int session_id_length;
 	ssize_t ret = 0;
 
 	memset(&nonce, 0, sizeof(nonce));
diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c
index f5604adbe..9bdd61c91 100644
--- a/ssl/tls13_record_layer.c
+++ b/ssl/tls13_record_layer.c
@@ -467,7 +467,7 @@ static int
 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
     struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
 {
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 	struct tls13_secret key = { .data = NULL, .len = 0 };
 	int ret = 0;
 
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index 604dab4cb..2beb72636 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
@@ -728,7 +728,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 	    sizeof(tls13_cert_verify_pad)))
 		goto err;
 	if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
-	    strlen(tls13_cert_server_verify_context)))
+	    strlen((char *)tls13_cert_server_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&sig_cbb, 0))
 		goto err;
@@ -783,7 +783,7 @@ int
 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 	struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 	size_t transcript_hash_len;
@@ -840,7 +840,7 @@ int
 tls13_server_finished_sent(struct tls13_ctx *ctx)
 {
 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 
 	/*
 	 * Derive application traffic keys.
@@ -959,7 +959,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 	    sizeof(tls13_cert_verify_pad)))
 		goto err;
 	if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
-	    strlen(tls13_cert_client_verify_context)))
+	    strlen((char *)tls13_cert_client_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&cbb, 0))
 		goto err;
@@ -1020,7 +1020,7 @@ int
 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-	struct tls13_secret context = { .data = "", .len = 0 };
+	struct tls13_secret context = { .data = (uint8_t *)"", .len = 0 };
 	struct tls13_secret finished_key;
 	uint8_t *verify_data = NULL;
 	size_t verify_data_len;
-- 
2.49.0